More SCADA app vulnerabilities found


A big motivation for pulling software apart to find security flaws is the idealistic hope that developers will get the message and do a better job next time.

But what happens if they don’t?

It’s something that must have researchers at security consultancies IOActive Labs and Embedi pulling out their hair, assuming they have any left.

Two years ago, they jointly found 50 weaknesses in 20 mobile apps used across a range of SCADA and Industrial Control System (ICS) sectors, covering things like power, water and manufacturing.

Not good news exactly, but at least the problems were in the public domain, and that meant they would be fixed.

Perhaps the app boom has lowered standards in a sector that rewards clever functions, performance and rapid development. If so, these apps simply manifest the same sorts of slapdash development that have affected other app sectors such as remote banking.

If that’s the case – and it’s hard not to imagine that it might be in at least some cases – it’s short-termism of the worst kind.

Say IOActive and Embedi:

The industry should start to pay attention to the security posture of its SCADA mobile applications, before it is too late.

The researchers have informed the affected vendors of the problems in the apps.

You can understand why so many ICS companies want to offer customers the ability to access monitoring and control using a mobile app. But on this evidence, it looks as if they are solving their problem today at the expense of creating a bigger one down the line for everyone.